Microsoft Corp. said users of its Windows Millennium Edition (Me) operating system risk having their files deleted by an attacker because of what it called a critical security vulnerability. It issued a patch for the flaw Wednesday.

It has issued a patch for the Windows Me Help and Support Center where the URL (uniform resource locator) handler for the “hcp://” prefix, used to access the centre, contains an unchecked buffer.

An attacker could create a URLl that executes his or her code on the user’s computer and gives access to local files, which can then be added to, deleted or modified. The false URL could be placed on a Web page or e-mailed to the intended victim, Microsoft said.

The severity of e-mail attacks would depend on the e-mail client being used. Outlook Express 6.0 or Outlook 2002 in the user’s default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Mail Security Update, would stop automated attacks, but the user is still vulnerable if they click on the link in an e-mail. If the user had another e-mail client, the attack could be triggered automatically, Microsoft said.

In order for an attacker to be successful they would have to lure users to their own Web site or send them an HTML (Hypertext Markup Language) e-mail. If the user is running Internet Explorer 6.0 Service Pack 1, the Help and Support Center function cannot be started automatically in Outlook Express or Outlook, Microsoft said.

Would you recommend this article?

0
0
Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada